Actions
List Incidents
Gets a list of incident objects that Microsoft Defender XDR (formerly known as 365 Defender) created to track attacks in an organization.
- Least privileged Microsoft Graph permission to access the action via application:
SSecurityIncident.Read.All*
. - Higher privileged Microsoft Graph permission to access the action via application:
SecurityIncident.ReadWrite.All
.
External Documentation
To learn more, visit the Microsoft Defender XDR documentation.
Parameters
Parameter | Description |
---|---|
Count | The $count query parameter is used to retrieve the count of the total number of items in a collection or matching an expression. For more information on using $count , refer to Microsoft Query Parameters Documentation. |
Expand | The $expand query string parameter is used to include the expanded resource or collection (like alerts ) referenced by a single relationship (navigation property) in your results. For more information on using $expand , refer to Microsoft Query Parameters Documentation. |
Filter | The $filter query parameter is used to retrieve a subset of a collection. For more information on using $filter , refer to Microsoft Query Parameters Documentation.The following properties are supported: * assignedTo * classification * determination * createdDateTime * lastUpdateDateTime * severity * status |
Skip | The $skip query parameter is used to set the number of items to skip at the start of a collection. For more information on using $skip , refer to Microsoft Query Parameters Documentation. |
Top | The $top query parameter is used to specify the number of items to be included in the result. For more information on using $top , refer to Microsoft Query Parameters Documentation. |
Example Output
Workflow Library Example
List Incidents with Microsoft Defender Xdr and Send Results Via Email
Preview this Workflow on desktop
Was this page helpful?